CEOs deserve jail for data breaches

A growing number of security pros believe that the way to stop data breaches from happening is simple as it is stark - send the CEOs or board members deemed responsible to jail.

By
John E Dunn
| Apr 08, 2008

Share

TwitterFacebookLinkedInGoogle Plus

A growing number of security pros believe that the way to stop data breaches from happening is simple as it is stark - send the CEOs or board members deemed responsible to jail.

The opinion emerged from a survey by security mainstay Websense at the recent UK e-Crime Congress, which polled 107 security professionals on their opinions. Seventy-nine percent believed that companies should be fined for data breaches – something that does already happen in some cases in the UK – while 59 percent were in favour of compensation for consumers affected by a breach.

The most striking view of all was that the time had come to punish serious data breaches with jail time for senior staff, with 25 percent rating that as a necessary step. Only three percent were against any form of legally-enforceable punishment.

Although this was a small poll of the sort that IT companies regularly drum up to use as PR after industry shows, the numbers give another indication of the changing attitudes towards the well-paid captains when it comes to taking responsibility for security.

And how about the number of respondents who believed that the IT department should bear ultimate responsibility? A meagre five percent.

Almost all agreed that the world now needed a global body to oversee cooperation on data security, complete with the power to enforce action.

The tendency to point the finger of blame at company boards probably has something to do with the apparent causes of poor security. Forty-five percent thought this was down to cost – boards are often blamed for not spending enough unless forced to – while 45 percent also named the fact that data security just wasn’t high enough on the list of company priorities.

“This survey indicates a strengthening opinion for action to be taken against cybercrime and data loss on a broader scale than ever before. We do expect to see more stringent regulation for security breaches, including those that involve the loss of personal data,” said Mart Murtagh of Websense.

Data security tends to be someone else’s problem, no matter who you ask. Board-level managers complain that they don’t have ‘visibility’ on the problems, while IT departments traditionally whine about a lack of resources. It’s not clear that holding the threat of jail time over the heads of senior managers will lead to more rational security policies, however. Indeed, it might lead to ultra-caution or to the appointments of scapegoats to take the blame when things go wrong, leaving the underlying problems to fester.